Tag Archives: Security

18/11/2019 – Talk by Benjamin Krumnow

Title: mashing OpenWPM for fun and profit
Time: 10:00
Location: Acadia Lab, Building Zeta
Type: Research talk
Speaker:  Hugo Jonker
Abstract: Web bots are a widely recognized tool to conduct empirical studies in the World Wide Web. OpenWPM is a framework that uses a web bot framework to facilitate web measurements. It is used in at least 46 scientific studies. However, there are clear indications that web sites attempt to recognize web bots and thereupon serve deviating content or block bots. Due to browser fingerprinting, this can already happen with the first call of a web page. For doing so, a web server attempts to retrieve unique properties that distinguish a web bot from human-controlled web browsers. To what extent OpenWPM is vulnerable to fingerprint-based detection has not yet been questioned. In this talk, I will present our investigation of detecting OpenWPM users based on their fingerprints. For that, we conduct a systematic analysis of the OpenWPM system architecture. We determine unique properties in OpenWPM’s fingerprint by applying fingerprinting and template attack tools for each component of OpenWPM. Our study reveals over 2K not-yet-known properties that would allow any web server to detect OpenWPM users. We show that most differences in OpenWPM result from automation components or the Firefox headless mode. Nevertheless, some deviations only occur in OpenWPM and could also be used to distinguish OpenWPM from ordinary bots. For demonstration purposes, we develop a web application that detects OpenWPM-based web clients and delivers manipulated content to them.

18/11/2019 – Talk by Hugo Jonker

Title: Shepherd – an automatic and large-scale study of website login security
Time: 9:30
Location: Acadia Lab, Building Zeta
Type: Research talk
Speaker:  Hugo Jonker
Abstract: Logging in on websites is common. However, it wasn’t always secure – as FireSheep showed dramatically in 2010. A malicious agent could simply eavesdrop on WiFi traffic and steal credentials of logged-in users. In response to FireSheep, major websites fixed their login security. However, it remains unclear whether others followed suit. Investigating this scientifically is fraught with challenges: acquiring passwords, automating logins on unknown websites, etc. In this talk, we present Shepherd, the result of a 2-year engineering effort to automate website logins. Moreover, we will present and discuss the results of a security scan with Shepherd, which showed that out of 7,113 sites where login was successful, 2,417 (34%) are still vulnerable to some variant of the FireSheep attack.

30/11/2018 – Talk by Manali Chakraborty

Title: An Intelligent Framework for Managing Smart Power Grid
Time: 12:00
Location: Meeting Room B, Building Zeta
Type: Research talk
Speaker: Manali Chakraborty
Abstract: The increasing dependence on the communication network makes Smart Grid vulnerable to several cyber security threats. Advanced metering infrastructure (AMI) is arguably the most important and critical part of Smart Grid. AMI deals with the most sensitive information in the Grid and transmits it through the network. There already exist a good number of security solutions for AMI. However, the percentage of security attacks is also increasing day by day, and so are the innovative and intelligent ideas behind those attacks. As the inherent characteristics of Smart Grid are quite unique and different from traditional IT networks, the existing solutions fall short of handling these Smart Grid specific problems. Besides, balancing the supply-demand ratio in the Smart Grid considering all these odds is far from being an easy job and requires additional technological support. Moreover, in order to maximize the benefits of Smart Grid, it is of utmost importance to connect and manage all the components and devices in the grid. The work in this thesis focuses on the feasibility of improving the security and autonomic functionalities of Advanced Metering Infrastructure (AMI) in Smart Grid. The work can be broadly categorized into three parts depending on the concerned functionality of AMI.

10/10/2018 – Talk by Gianluca Caiazza

Title: Supporting security of robotic software: access control policies and immutablezation of log records
Time: 14:30
Location: Meeting Room B, Building Zeta
Type: Research talk
Speaker:  Gianluca Caiazza
Abstract:  Security of robotics systems, as well as of the related middleware infrastructures, is a critical issue for industrial and domestic IoT applications, and it needs to be continuously assessed throughout the whole development lifecycle. Furthermore, logging is crucial in robotics research, providing prolonged insights into a robot’s situational understanding, progression of behavioral state, and resulting outcomes. Such recordings are invaluable when debugging complex robotic applications or profiling experiments ex post facto. The next generation open source robotic software stack, ROS2, is now targeting support for Secure DDS, providing the community with valuable tools for secure real world robotic deployments. However, given the growing number of high profile public incidents involving self-driving automotives, resulting in fatality or regulatory policy making, it is paramount that the integrity, authenticity and non-repudiation of such system logs are maintained to ensure accountability. Being mobile cyberphysical systems, robots present new threats and vulnerabilities beyond traditional IT: unsupervised physical system access or postmortem collusion between robot and OEM could result in the truncation or alteration of prior records. In this seminar, we discuss a framework for procedural provisioning access control policies for robotic software, as well as for verifying the compliance of generated transport artifacts and decision point implementations. Moreover, we address immutablezation of log records via integrity proofs and distributed ledgers with special consideration for mobile and public service robot deployments.

Alert: the seminar has been rescheduled from 13:30 to 14:30

18/01/2018 – Talk by Amit Mandal

Title: Vulnerability Analysis of Android Auto Infotainment Apps
Time: 13:00
Location: Meeting room B, Building Zeta
Type: Research result
Speaker:  Amit Mandal
Abstract: With over 2 billion active mobile users and a large array of features, Android is the most popular operating system for mobile devices. Android Auto allows such devices to connect with an in-car compatible infotainment system, and it became a popular choice as well. However, as the trend for connecting car dashboards to the Internet or other devices grows, so does the potential for security threats. In this paper, a set of potential security threats is identified, and a static analyzer for the Android Auto infotainment system is presented. All the infotainment apps available in Google Play Store have been checked against that list of possible exposure scenarios. Results show that almost 80% of the apps are potentially vulnerable, out of which 25% pose security threats related to execution of JavaScript.
[paper just presented at ACM Computing Frontiers 2018]

02/03/2018 – Talk by Enrico Steffinlongo

Title: Efficient security analysis of Administrative Access Control Policies
Time: 13:00
Location: Meeting room, Building Zeta
Type: Final PhD
Speaker: Enrico Steffinlongo
Abstract: In recent years access control has been a crucial aspect of computer systems, since it is the component responsible for giving users specific permissions enforcing an administrator-defined policy. This led to the formation of a wide literature proposing and implementing access control models reflecting different system perspectives. Moreover, many analysis techniques have been developed with special attention to scalability, since many security properties have been proved hard to verify. In this setting the presented work provides two main contributions.
In the first, we study the security of workflow systems built on top of a role-based access control in the case of collusion of multiple users. We define a formal model for an ARBAC-based workflow system and we state a notion of security against collusion. Furthermore, we propose a scalable static analysis technique for proving the security of a workflow. Finally, we implement it in a prototype tool showing its effectiveness.
In the second contribution, we propose a new model of administrative attribute-based access control (AABAC) where administrative actions are enabled by boolean expressions predicating on user attribute values. Subsequently, we introduce two static analysis techniques for the verification of the reachability problem: one precise, but bounded, and one over-approximated. We also give a set of pruning rules in order to reduce the size of the problem, increasing scalability of the analysis. Finally, we implement the analysis in a tool and we show its effectiveness on several realistic case studies.

11/10/2017 – Talk by Stefano Calzavara

Title: CCSP: Controlled relaxation of content security policies by runtime policy composition
Time: 12:00 (noon)
Location: ACADIA Lab., Ed. Zeta
Type: Research Result
Speaker: Stefano Calzavara
Abstract: Content Security Policy (CSP) is a W3C standard designed to prevent and mitigate the impact of content injection vulnerabilities on websites by means of browser-enforced security policies. Though CSP is gaining a lot of popularity in the wild, previous research questioned one of its key design choices, namely the use of static white-lists to define legitimate content inclusions. In this talk we present Compositional CSP (CCSP), an extension of CSP based on runtime policy composition. CCSP is designed to overcome the limitations arising from the use of static white-lists, while avoiding a major overhaul of CSP and the logic underlying policy writing. We perform an extensive evaluation of the design of CCSP by focusing on the general security guarantees it provides, its backward compatibility and its deployment cost. We then assess the potential impact of CCSP on the web and we implement a prototype of our proposal, which we test on major websites. In the end, we conclude that the deployment of CCSP can be done with limited efforts and would lead to significant benefits for the large majority of the websites.

CISPA – Meeting 10/10/2017, 10:30


When: Tuesday 10 October, at 10:30 in the morning
Where: Università Ca’ Foscari, Via Torino, 155 – 30170 Venezia Mestre Sala Conferenze del campus scientifico

First seminar:
Speaker: Dr. Giancarlo Pellegrino, Research Group Leader at CISPA
Title: Automated Vulnerability Analysis for Modern Application Software
Abstract: The complexity and pervasiveness of application software are growing rapidly. Nowadays, application software encompasses multiple devices, e.g., mobile and IoT, and web services to perform operations ranging from online shopping and managing household appliances to controlling manufacturing processes. Like any other program, application software has vulnerabilities that, when exploited, can be used for financial fraud, stealing confidential data, and industrial espionage. Unfortunately, existing automated vulnerability analysis techniques are inadequate to tackle the complexity reached by these programs, thus leaving them exposed to attackers. My main research topic intends to stop this emerging trend and lay the foundation for the next-generation automated vulnerability analysis techniques. This talk focuses on the detection power and attack surface coverage challenges and presents two recent advances in the field. The first part of the talk presents Deemon, a tool that combines dynamic analysis and property graphs to mine Cross-Site Request Forgery, a long-neglected severe vulnerability. The second part of the talk presents jAEk, a new generation web application crawler that uses JavaScript dynamic analysis to increase the covered attack surface of web applications by 80%.
Short bio: Giancarlo Pellegrino is currently a research group leader at CISPA. His main research interests include all aspects of application security, especially web security and automated vulnerability analysis. He has been selected for the CISPA-Stanford Center for Cybersecurity, and he will soon be appointed visiting assistant professor at Stanford University. Prior to that, Giancarlo was a postdoctoral researcher at CISPA and TU Darmstadt, Germany. During his doctoral studies, Giancarlo was a member of the S3 group at EURECOM, in France, under the supervision of Prof. Davide Balzarotti. Until August 2013, he was a research associate in the “Security and Trust” research group at SAP SE.
Contact: gpellegrino@cispa.saarland

Second seminar:

Speaker: Sandra Strohbach, Dr. Giancarlo Pellegrino
Title: CISPA – One of Europe’s leading research sites of IT security
Abstract: The public presentation offers an overview of the Center for IT security, Privacy, and Accountability – CISPA located on the Saarland Informatics Campus in Saarbrücken, Germany. Founded in 2011, CISPA has become an important address of IT security and privacy.
You can learn more about the different research areas, excellent education programmes, and career opportunities. The examples of current research projects provide an insight into our daily work.
Short bio: After her studies in translation science, Sandra Strohbach did her PhD in applied linguistics at Saarland University. At the same time, she worked as research assistant and lecturer in the department of Romanic languages. Since 2010, Sandra Strohbach has worked in the field of science management. She is an expert in the field of funding programmes and international cooperation as well as strategic development. She joined CISPA in 2017 and coordinates national and international projects, among them the CISPA-Stanford Center for Cybersecurity.

Contact: strohbach@cispa.saarland



One of Europe’s leading research sites for IT security

When: Tuesday 10 October, at 12.30 in the afternoon
Where: Università Ca’ Foscari, Via Torino, 155 – 30170 Venezia Mestre Sala Conferenze del campus scientifico

What to expect:

  • Insight into the CISPA goals
  • High Level Study courses and exchange programmes
  • Excellent Research environment
  • Various job opportunities for qualified individuals



19/07/2017 – Talks by Mauro Tempesta, Francesco Palmarini, Heider Wahsheh, Marco Squarcina

The program of the day will be:

11.00 Mauro Tempesta
11.20 Francesco Palmarini
11.40 Heider Wahsheh
14.00 Marco Squarcina

Titles and abstracts follow:

Title: Run-time Attack Detection in Cryptographic APIs
Speaker: Marco Squarcina
Cryptographic APIs are often vulnerable to attacks that compromise
sensitive cryptographic keys. In the literature we find many proposals
for preventing or mitigating such attacks but they typically require to
modify the API or to configure it in a way that might break existing
applications. This makes it hard to adopt such proposals, especially
because security APIs are often used in highly sensitive settings, such
as financial and critical infrastructures, where systems are rarely
modified and legacy applications are very common. In this talk we
propose a different approach. We introduce an effective method to
monitor existing cryptographic systems in order to detect, and possibly
prevent, the leakage of sensitive cryptographic keys. The method
collects logs for various devices and cryptographic services and is able
to detect, offline, any leakage of sensitive keys, under the assumption
that a key fingerprint is provided for each sensitive key. We define key
security formally and we prove that the method is sound, complete and
efficient. We also show that without key fingerprinting completeness is
lost, i.e., some attacks cannot be detected. We discuss possible
practical implementations and we develop a proof-of-concept log analysis
tool for PKCS#11 that is able to detect, on a significant fragment of
the API, all key-management attacks from the literature.

14/07/2017 – Talk by Matus Nemec

Title: Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans Fingerprinting
Time: 11:00
Location: Skype call
Type: Research Result
Speaker: Matus Nemec
We measure the popularity of cryptographic libraries in large datasets of RSA public keys. We do so by improving a recently proposed method based on biases introduced by alternative implementations of prime selection in different cryptographic libraries. We extend the previous work by applying statistical inference to approximate a share of libraries matching an observed distribution of RSA keys in an inspected dataset (e.g., Internet-wide scan of TLS handshakes). The sensitivity of our method is sufficient to detect transient events such as a periodic insertion of keys from a specific library into Certificate Transparency logs and inconsistencies in archived datasets.

We apply the method on keys from multiple Internet-wide scans collected in years 2010 through 2017, on Certificate Transparency logs and on separate datasets for PGP keys and SSH keys. The results quantify a strong dominance of OpenSSL with more than 84% TLS keys for Alexa 1M domains, steadily increasing since the first measurement. OpenSSL is even more popular for GitHub client-side SSH keys, with a share larger than 96%. Surprisingly, new certificates inserted in Certificate Transparency logs on certain days contain more than 20% keys most likely originating from Java libraries, while TLS scans contain less than 5% of such keys.

Since the ground truth is not known, we compared our measurements with other estimates and simulated different scenarios to evaluate the accuracy of our method. To the best of our knowledge, this is the first accurate measurement of the popularity of cryptographic libraries not based on proxy information like web server fingerprinting, but directly on the number of observed unique keys.